Microsoft releases security updates for over 50 flaws, including six zero-days

Microsoft rolled out security patches as part of its March 2025 Patch Tuesday release, addressing more than 50 vulnerabilities across its suite of software, including six zero-day flaws that have been actively exploited in the wild.

The six zero-day vulnerabilities are as follows:

  • CVE-2025-24983 – Windows Win32 Kernel Subsystem Use-After-Free (UAF). The vulnerability allows an attacker with local access to elevate privileges on the system. Exploiting this flaw could give malicious actors the ability to execute arbitrary code with elevated system privileges.

  • CVE-2025-24984 – Windows NTFS Information Disclosure. This flaw in Windows NTFS can be exploited by an attacker with physical access to the target device who inserts a malicious USB drive.

  • CVE-2025-24985 – Windows Fast FAT File System Driver Integer Overflow. An integer overflow vulnerability in the Windows Fast FAT file system driver could allow an attacker to execute arbitrary code locally.

  • CVE-2025-24991 – Windows NTFS Out-of-Bounds Read. This vulnerability could allow an attacker with authorized access to disclose sensitive information locally.

  • CVE-2025-24993 – Windows NTFS Heap-Based Buffer Overflow. A buffer overflow vulnerability in Windows NTFS allows attackers to execute code with elevated privileges.

  • CVE-2025-26633 – Microsoft Management Console Improper Neutralization. The vulnerability in the Microsoft Management Console could allow an attacker to bypass security features and gain unauthorized access to the system.

CVE-2025-24983 has been actively exploited by cybercriminals to install a backdoor called ‘PipeMagic.’

According to ESET, PipeMagic was discovered as part of a cyberattack campaign in late 2024 that targeted entities in Asia and Saudi Arabia. The malware was distributed in the form of a fake OpenAI ChatGPT application, tricking users into installing it on their devices. Once installed, the backdoor provides attackers with persistent access to compromised systems, making it easier for them to deploy further malicious payloads.

“The vulnerability is a use after free in Win32k driver. In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing UAF. To reach the vulnerability, a race condition must be won,” ESET explained.

“The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including still supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11.”

In addition to the above-mentioned flaws, Microsoft addressed a slew of high-risk vulnerabilities affecting Microsoft Excel, Microsoft Office, Microsoft Windows Mark of the Web, Windows File Explorer, Microsoft Word, Microsoft Access, and other software products.
